IMPORTANT - New RCs for Security Bug CVE-2016-9587

Archives Ansible Project
1

Hi all,

Today we are releasing two new release candidates to address CVE-2016-9587,
which we are removing from embargo today:

2.1.4 RC1
2.2.1 RC3

CVE-2016-9587 is rated as HIGH in risk, as a compromised remote system being managed
via Ansible can lead to commands being run on the Ansible controller (as the user
running the ansible or ansible-playbook command).

If you have the ability, please test the above release candidates so that we can get
the final releases out as quickly as possible.

Finally, thanks to the security team at Computest, who did an amazing job of finding
the flaws and creating an excellent set of tests to reproduce them for us.

Thanks, and let us know if you run into any problems with the above release candidates!

2

Hi,

there is a new bug with service restart and refresh on Solaris 10.
I added a comment in https://github.com/ansible/ansible-modules-core/issues/5296 where the bug was introduced (with a fix for Solaris 11).

Regards,
Bernhard

3

Please don’t comment on closed issues as we don’t see those normally.

4

I’m sorry.
Opened a new issue: https://github.com/ansible/ansible/issues/20102

5

Are you will add in debian repository the fixes ?

Thank for your support

6

Does this apply to ansible 1.9?

7

Most older versions should be vulnerable, we recommend upgrading to 2.1 or 2.2 once we release the fix.